[qubes-users] Re: ThinkPad X270 USB C/Thunderbolt USB C type and docking station Qubes 4.0
On Wednesday, 20 March 2019 at 13:33:27 UTC+1, a...@it-minds.dk wrote:
> Hello qubes users!
>
> I currently acquired this dock
> (https://www.dell.com/en-us/shop/dell-business-thunderbolt-dock-tb16-with-240w-adapter/apd/452-bcnu/pc-accessories),
> and tried to connect it with my laptop, but it does not seem to work.
>
> I have found different posts here and there regarding the issue, and I think
> the most common solution is turning on the computer with the cable attached.
> This does NOT work however.
>
> I have not tried to boot up without attaching, and viewing lspci output, and
> then comparing to when I have it connected. Will do that and post back if
> there are no better suggestions for now.
>
> I have also NOT modified my kernel yet or done anything to the start up flags
> (other than enabling USB devices in general, so I can use my keyboard and
> mouse).
>
> I am running Qubes 4.0.
>
> Any help appreciated!
>
> Best regards!

To future readers who own a ThinkPad X270: there is a USB C port, but it is NOT a Thunderbolt port. There was never any chance of getting the dock to work. If you want a ThinkPad X class with Thunderbolt, it should be in the X280 series and upwards, probably.

Thank you everybody for your time and for pitching in. Sorry for not doing my research before posting here.

Best regards!

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/be95e2b1-42b1-4912-8d4a-a46c744fdab2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: ThinkPad X270 USB C/Thunderbolt USB C type and docking station Qubes 4.0
Matthew Roy:
> 3) Manually add and remove PCI devices provided by the dock from individual
> Qubes (e.g. sys-net and sys-usb). The Qubes will no longer boot once the PCI
> devices are not present after you unplug the dock, but at the same time they
> can't be connected to the Qubes after boot since they don't have hotplug
> enabled. So when you get to your desk you'll need to reboot the laptop, then
> attach the PCI devices to sys-usb and sys-net, then restart those Qubes.
> Restarting sys-net and sys-usb often results in broken tray icons, so at that
> point you may also need to reboot the laptop (you can leave the dock connected
> during this, IME). After you leave your desk you'll need to boot without the
> dock, remove the now-missing PCI devices from sys-net and sys-usb, and then
> reboot again to get everything working again.

Why not just assign those devices to new VMs, "sys-net-dock" and "sys-usb-dock"? When you get to your desk, just reboot with the dock attached (for very well-justified security reasons) and, upon entering the desktop, switch the network provider for "sys-firewall" from "sys-net" to "sys-net-dock" and manually start "sys-usb-dock".

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8090d95a-7fb3-1497-58e4-cb989a3d5476%40riseup.net.
[qubes-users] Re: ThinkPad X270 USB C/Thunderbolt USB C type and docking station Qubes 4.0
On Wednesday, March 20, 2019 at 10:08:36 AM UTC-4, Matthew Roy wrote:
> So there are 3 things I needed to do to get Thunderbolt docks to work on a
> laptop with Qubes:
> 3) Manually add and remove PCI devices provided by the dock from individual
> Qubes (e.g. sys-net and sys-usb). The Qubes will no longer boot once the PCI
> devices are not present after you unplug the dock, but at the same time they
> can't be connected to the Qubes after boot since they don't have hotplug
> enabled. So when you get to your desk you'll need to reboot the laptop, then
> attach the PCI devices to sys-usb and sys-net, then restart those Qubes.

For this particular solution/complaint, I reiterate my recommendation of always turning off auto-start of sys-firewall and sys-net. A side effect is that you'll get to the desktop sooner, which might be nice for non-networked workflows.

Optionally, to avoid manual reconfiguration every boot, write and deploy a script that, based on the available PCI devices seen in dom0 at startup, sets the correct PCI associations for sys-net during dom0 startup, but before the desktop appears and the user can invoke another VM startup that could start those two before sys-net is configured.

Can't fix the general hotplug issues, and I think that, for now, the Qubes devs have made the correct decision on this. If this is extremely important to a user... perhaps consider building and packaging your own Qubes kernel variants with modified PCI hotplug options and live with the security vulnerabilities that the Qubes dev team believes are not a safe default. You would also set those up as default/non-default kernels in GRUB depending on use case. Perhaps utilize these custom kernels as default kernels specifically for a subset of physically secure workstations that need to dock. Lastly, combine with scripts to manage sys-net PCI options, triggered via startup and/or hotplug events.

-B

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a1755993-eb58-4df8-9c42-bbc1959ff9be%40googlegroups.com.
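An added example (not code from this thread or from Qubes OS) that combines the two suggestions above: Matthew's separate "sys-net-dock" / "sys-usb-dock" qubes, selected at dom0 startup from the PCI inventory as -B proposes, so no device is attached after boot (the thread's no-hotplug constraint). It assumes those qubes already exist with the dock's devices attached persistently, that autostart of sys-firewall/sys-net is off, and that the dock controllers sit at the placeholder BDFs below.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes OS.
# At dom0 startup, decide whether the Thunderbolt dock is present and repoint
# sys-firewall to sys-net-dock (else sys-net), starting the matching USB qube.
# Assumptions: sys-net-dock / sys-usb-dock exist with the dock's PCI devices
# attached persistently before boot, and the dock's controllers are at the
# placeholder BDFs below (read the real ones from `lspci -D` in dom0 when docked).
DOCK_NET_BDF="0000:3c:00.0"   # placeholder: dock Ethernet controller
DOCK_USB_BDF="0000:3b:00.0"   # placeholder: dock USB controller

# Constructed sample `lspci -D` output (not captured from real hardware).
LSPCI_DOCKED="0000:00:1f.6 Ethernet controller: onboard NIC
0000:3b:00.0 USB controller: dock xHCI
0000:3c:00.0 Ethernet controller: dock NIC"
LSPCI_UNDOCKED="0000:00:1f.6 Ethernet controller: onboard NIC
0000:00:14.0 USB controller: onboard xHCI"

# dock_present LSPCI_TEXT: succeed only if every dock BDF is in the inventory,
# so a half-enumerated dock never gets treated as docked.
dock_present() {
    for bdf in "$DOCK_NET_BDF" "$DOCK_USB_BDF"; do
        printf '%s\n' "$1" | awk -v b="$bdf" '$1 == b { f = 1 } END { exit !f }' \
            || return 1
    done
    return 0
}

# choose_netvm / choose_usbvm LSPCI_TEXT: print the qube to use for this boot.
choose_netvm() { if dock_present "$1"; then echo sys-net-dock; else echo sys-net; fi; }
choose_usbvm() { if dock_present "$1"; then echo sys-usb-dock; else echo sys-usb; fi; }

# apply_profile LSPCI_TEXT: repoint sys-firewall and start the USB qube.
# The qvm-* tools only exist in dom0; elsewhere just report the decision.
apply_profile() {
    netvm=$(choose_netvm "$1")
    usbvm=$(choose_usbvm "$1")
    if command -v qvm-prefs >/dev/null 2>&1; then
        qvm-prefs sys-firewall netvm "$netvm"
        qvm-check --running "$usbvm" >/dev/null 2>&1 || qvm-start "$usbvm"
    else
        echo "would set sys-firewall netvm=$netvm and start $usbvm"
    fi
}

# Use the live inventory when lspci is available; fall back to the sample.
apply_profile "$(lspci -D 2>/dev/null || printf '%s' "$LSPCI_UNDOCKED")"
```

Run it from a dom0 startup hook that fires before any qube autostarts; sys-firewall keeps whichever NetVM was last set, so the script must run on every boot, docked or not.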
Re: [qubes-users] Re: ThinkPad X270 USB C/Thunderbolt USB C type and docking station Qubes 4.0
On Thursday, 21 March 2019 at 11:34:10 UTC+1, David Hobach wrote:
>
> True, that is somewhat more advanced though. State-level attackers have
> teams that can open and replace arbitrary hardware with malicious one
> within 15 mins, yes. So if you fear them, don't leave your laptop
> unattended anyway.
> In contrast your colleague sitting next to you at work can plug in a USB
> stick into your laptop and perform the thunderbolt attack whilst you're
> at lunch.
> Having someone physically take away your laptop or even dismantle it is
> a lot more suspicious.
>
> Qubes OS is focusing on security and fortunately doesn't make security
> tradeoffs even for usability.
>
> [1] http://thunderclap.io/

I have to say that I agree with Matthew on this. It seems kind of over the top, especially with no way to at least accept the risk and enable it anyway. Making it work the same as with USB devices seems like a good way to do this (without trying to make this issue trivial, it genuinely seems like a major pain point to design a proper solution, and I completely respect that). I just think it seems overkill to not even have an option to enable it.

I don't doubt at all that there are people out there who would be exposed if this was enabled by default, so I definitely respect and understand that. We are however able to enable USB support and exposure to dom0 when wanting to use a USB keyboard, for instance. There is a fine warning in the documentation about it, so you as a user know exactly what risk you are taking by doing so.

If you are hired at a place where you can use Qubes OS as your main OS, and you have colleagues who would do something like that, then I would maybe argue there is something inherently wrong with the working environment, but you are correct at any rate. I do not agree with the premise though!

I will try out what Matthew suggested. Otherwise I guess I will just have to wait it out. Shame I didn't research better before I invested in it though :(

Thank you for your input!

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0c0512a5-bc36-426a-890a-5feb8801d2b2%40googlegroups.com.
Re: [qubes-users] Re: ThinkPad X270 USB C/Thunderbolt USB C type and docking station Qubes 4.0
> You're doing all this, BTW, because rather than supporting Thunderbolt and
> PCIe hotplug (which are usually protected by that device authorization you
> have to disable), Qubes is trying to protect users with FireWire and
> ExpressCard that are fundamentally insecure. I hope those extra 4 times a
> day you enter your dom0 decryption key on boot while using a dock aren't
> putting that key at extra risk or incentivising you to use a weaker key. :(

Yes, and that's also why Thunderbolt is disabled. It has full memory access and can likely bypass IOMMU = r/w access any VM on hotplug. So if you leave your laptop unattended for 5 mins, someone can simply read/write the entire memory by just plugging in a USB type C stick into your thunderbolt port [1].

> More broadly, I think the lack of hotplug support is a misguided trade-off
> that hampers the usability of Qubes and just creates one more barrier to
> adoption for users. Folks with firewire ports/expresscard slots and
> nation-state adversaries with physical access need to disable those
> ports/slots in BIOS rather than relying on lack of hotplug support to
> protect them. It's not that hard to hide something in an expresscard slot
> that will be there on boot, and then it's game over for dom0 even without
> hotplug.

True, that is somewhat more advanced though. State-level attackers have teams that can open and replace arbitrary hardware with malicious one within 15 mins, yes. So if you fear them, don't leave your laptop unattended anyway.
In contrast your colleague sitting next to you at work can plug in a USB stick into your laptop and perform the thunderbolt attack whilst you're at lunch.
Having someone physically take away your laptop or even dismantle it is a lot more suspicious.

Qubes OS is focusing on security and fortunately doesn't make security tradeoffs even for usability.

[1] http://thunderclap.io/

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/eb20546b-093a-1508-0adf-3afd30316446%40hackingthe.net.
[qubes-users] Re: ThinkPad X270 USB C/Thunderbolt USB C type and docking station Qubes 4.0
On Wednesday, March 20, 2019 at 8:33:27 AM UTC-4, a...@it-minds.dk wrote:
> Hello qubes users!
>
> I currently acquired this dock
> (https://www.dell.com/en-us/shop/dell-business-thunderbolt-dock-tb16-with-240w-adapter/apd/452-bcnu/pc-accessories),
> and tried to connect it with my laptop, but it does not seem to work.
>
> I have found different posts here and there regarding the issue, and I think
> the most common solution is turning on the computer with the cable attached.
> This does NOT work however.
>
> I have not tried to boot up without attaching, and viewing lspci output, and
> then comparing to when I have it connected. Will do that and post back if
> there are no better suggestions for now.
>
> I have also NOT modified my kernel yet or done anything to the start up flags
> (other than enabling USB devices in general, so I can use my keyboard and
> mouse).
>
> I am running Qubes 4.0.
>
> Any help appreciated!
>
> Best regards!

So there are 3 things I needed to do to get Thunderbolt docks to work on a laptop with Qubes:

1) Disable Thunderbolt device authorization in the laptop BIOS, since we need the device to be online when Qubes is booting rather than waiting for the OS to come online enough to authorize the device. If you have a Dell laptop, some of them have an option to treat Dell docks differently, which you may be able to use instead.

2) Have the dock plugged in and awake when Qubes is booting. Note that when booting from a cold shutdown you may need to connect the dock *after* the motherboard is powered on, but *before* the kernel boots; one dock I tried needed this to wake up correctly and be awake before the kernel initialized PCI devices.

3) Manually add and remove PCI devices provided by the dock from individual Qubes (e.g. sys-net and sys-usb). The Qubes will no longer boot once the PCI devices are not present after you unplug the dock, but at the same time they can't be connected to the Qubes after boot since they don't have hotplug enabled. So when you get to your desk you'll need to reboot the laptop, then attach the PCI devices to sys-usb and sys-net, then restart those Qubes. Restarting sys-net and sys-usb often results in broken tray icons, so at that point you may also need to reboot the laptop (you can leave the dock connected during this, IME). After you leave your desk you'll need to boot without the dock, remove the now-missing PCI devices from sys-net and sys-usb, and then reboot again to get everything working again.

You're doing all this, BTW, because rather than supporting Thunderbolt and PCIe hotplug (which are usually protected by that device authorization you have to disable), Qubes is trying to protect users with FireWire and ExpressCard that are fundamentally insecure. I hope those extra 4 times a day you enter your dom0 decryption key on boot while using a dock aren't putting that key at extra risk or incentivising you to use a weaker key. :(

More broadly, I think the lack of hotplug support is a misguided trade-off that hampers the usability of Qubes and just creates one more barrier to adoption for users. Folks with firewire ports/expresscard slots and nation-state adversaries with physical access need to disable those ports/slots in BIOS rather than relying on lack of hotplug support to protect them. It's not that hard to hide something in an expresscard slot that will be there on boot, and then it's game over for dom0 even without hotplug.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/15b958a1-1623-4d80-ab81-0ee291a71fde%40googlegroups.com.